AWS Certified SysOps Administrator Associate SOA-C02 (SOA-C02) — Questions 301375

1546 questions total · 21pages · All types, answers revealed

Page 4

Page 5 of 21

Page 6
301
MCQhard

A company has a VPC with public and private subnets. An Application Load Balancer (ALB) is deployed in the public subnets, and an Auto Scaling group of web servers is deployed in the private subnets. The web servers need to frequently make HTTPS requests to an external API. The API provider requires that all requests originate from a consistent set of static IP addresses for whitelisting. The SysOps administrator must ensure that outbound traffic from the web servers has static source IP addresses. Which solution should be implemented?

A.Place the web servers in public subnets and assign each instance an Elastic IP address.
B.Deploy a NAT gateway in a public subnet with an Elastic IP and route outbound traffic from the private subnets through the NAT gateway.
C.Create a VPC endpoint for the external API service.
D.Use AWS Global Accelerator to provide static IP addresses for outbound traffic.
AnswerB

The NAT gateway provides a static Elastic IP for outbound traffic from private instances, fulfilling the requirement securely.

Why this answer

Option B is correct because a NAT gateway placed in a public subnet with an Elastic IP provides a consistent, static source IP for all outbound traffic from instances in private subnets. The web servers route their outbound HTTPS requests through the NAT gateway, which performs source NAT (SNAT) using the Elastic IP, satisfying the API provider's whitelisting requirement. This design keeps the web servers in private subnets for security while ensuring a fixed public IP for outbound traffic.

Exam trap

The trap here is that candidates confuse AWS Global Accelerator's static IPs for inbound traffic with the need for static outbound IPs, or mistakenly think VPC endpoints can be used for any external service, when they only work with supported AWS services.

How to eliminate wrong answers

Option A is wrong because placing web servers in public subnets with Elastic IPs would expose them directly to the internet, bypassing the ALB and compromising security; it also requires managing individual Elastic IPs per instance, which is not scalable for an Auto Scaling group. Option C is wrong because a VPC endpoint is used for private connectivity to AWS services (e.g., S3, DynamoDB) via the AWS network, not for reaching external HTTPS APIs over the internet; it does not provide static IP addresses for outbound traffic to third-party endpoints. Option D is wrong because AWS Global Accelerator provides two static Anycast IP addresses for inbound traffic to your application endpoints (e.g., ALB, NLB), not for outbound traffic from instances; it does not affect the source IP of outbound requests from web servers.

302
MCQhard

A company has a mission-critical application running on EC2 instances in an Auto Scaling group. The application stores state locally on the instance. The company wants to update the application to a new version with minimal downtime. The update requires a change to the instance configuration. What deployment strategy should be used?

A.Rolling update
B.Canary deployment
C.Immutable update
D.Blue/green deployment
AnswerD

Blue/green creates a new environment, allowing state to be migrated or offloaded, then switches traffic.

Why this answer

A blue/green deployment creates a new environment (green) with the new version and then switches traffic. This minimizes downtime and allows state to be handled by offloading to an external service. Rolling updates would cause downtime and state loss if instances are replaced.

Immutable updates replace instances, causing state loss. Canary deployments are for testing, not full production updates.

303
Multi-Selecteasy

A company is designing a backup strategy for its Amazon S3 buckets. Which TWO methods can be used to protect against accidental deletion or overwriting of objects? (Choose two.)

Select 2 answers
A.Enable S3 Versioning on the bucket.
B.Enable MFA Delete on the bucket.
C.Configure S3 Cross-Region Replication.
D.Enable S3 Object Lock in compliance mode.
E.Enable default encryption (SSE-S3) on the bucket.
AnswersA, D

Retains all versions, enabling recovery.

Why this answer

Options A and D are correct. S3 Versioning retains all versions, allowing recovery from accidental deletion or overwrite. S3 Object Lock prevents objects from being deleted or overwritten for a specified period.

Option B is wrong because MFA Delete requires multi-factor authentication for delete operations but does not prevent overwrites. Option C is wrong because default encryption does not protect against deletion. Option E is wrong because cross-region replication does not prevent deletion in the source bucket.

304
MCQeasy

A company has a VPC that requires DNS resolution for custom domain names within the VPC. They want to use a private hosted zone in Amazon Route 53. Which resource is required to associate the private hosted zone with the VPC?

A.A resolver rule
B.A public hosted zone
C.A VPC
D.A CNAME record
AnswerC

A private hosted zone must be associated with one or more VPCs to be accessible within those VPCs.

Why this answer

To associate a private hosted zone with a VPC in Amazon Route 53, you must specify the VPC ID and the AWS Region of the VPC. The VPC itself is the required resource because the private hosted zone is scoped to one or more VPCs, enabling DNS resolution for custom domain names only within those VPCs. Without a VPC association, the private hosted zone cannot serve DNS queries.

Exam trap

The trap here is that candidates often confuse the resource needed for association (the VPC) with DNS record types or resolver configurations, mistakenly thinking a CNAME record or resolver rule is required to link the hosted zone to the VPC.

How to eliminate wrong answers

Option A is wrong because a resolver rule is used with Route 53 Resolver to forward DNS queries to or from on-premises networks, not to associate a private hosted zone with a VPC. Option B is wrong because a public hosted zone is used for DNS resolution over the internet, not for private DNS within a VPC, and it cannot be associated with a VPC. Option D is wrong because a CNAME record is a DNS record type that maps an alias to a canonical name, not a resource that associates a hosted zone with a VPC.

305
MCQmedium

A company uses AWS CloudFormation to deploy infrastructure. The SysOps administrator has a template that creates an Amazon EC2 instance and an Amazon RDS DB instance. The administrator needs to reuse the same template for development, test, and production environments, where the only differences are the EC2 instance type and the RDS DB instance class. Which CloudFormation feature should be used to define these environment-specific values?

A.Nested stacks
B.Parameters
C.Mappings
D.Conditions
AnswerB

Parameters accept input values at stack creation, making the template reusable with different instance types and DB classes per environment.

Why this answer

Parameters are the correct CloudFormation feature because they allow you to pass environment-specific values (such as EC2 instance type and RDS DB instance class) into the template at stack creation or update time. This enables reuse of the same template across development, test, and production environments without modifying the template itself, simply by providing different parameter values for each environment.

Exam trap

The trap here is that candidates often confuse Mappings (which are static and cannot be changed per stack instance) with Parameters (which are dynamic and input at runtime), leading them to incorrectly choose Mappings for environment-specific values that must vary per deployment.

How to eliminate wrong answers

Option A is wrong because nested stacks are used to compose infrastructure from multiple templates or to isolate reusable components, not to inject environment-specific variable values into a single template. Option C is wrong because mappings provide static lookup tables (e.g., mapping environment names to instance types) but cannot be overridden at runtime; they are hardcoded in the template and not suitable for values that must change per deployment. Option D is wrong because conditions control whether a resource or property is created or omitted based on a condition (e.g., deploy a resource only in production), but they do not define or pass variable values like instance type or DB class.

306
Multi-Selecthard

A SysOps administrator is troubleshooting a slow-running Amazon RDS for PostgreSQL instance. The administrator suspects that a specific query is causing high I/O. Which tools should be used together to identify the query and its I/O impact? (Choose THREE.)

Select 3 answers
A.Amazon RDS Performance Insights
B.Amazon CloudWatch Logs
C.AWS CloudTrail
D.Amazon RDS Enhanced Monitoring
E.RDS Performance Insights with database load and wait events
AnswersA, D, E

Shows top SQL queries and their load.

Why this answer

Amazon RDS Performance Insights (A) provides a database performance dashboard that visualizes database load and identifies the specific queries causing high load, including I/O wait events. By correlating this with Amazon RDS Enhanced Monitoring (D), which offers OS-level metrics like read/write IOPS and queue depth, you can pinpoint the exact query and its I/O impact. The combination of RDS Performance Insights with database load and wait events (E) directly surfaces the query text and the wait types (e.g., IO:DataFileRead) to confirm high I/O.

Exam trap

The trap here is that candidates might select CloudWatch Logs or CloudTrail thinking they can capture query logs or API calls to diagnose performance, but neither provides the real-time database load breakdown or OS-level I/O metrics needed to identify the specific query and its I/O impact.

307
MCQmedium

A SysOps administrator ran the above AWS CLI command to update an existing CloudFormation stack. The command failed with the error shown. What is the most likely cause?

A.The template file has a syntax error.
B.The stack is in a failed state from a previous operation and must be deleted or rollback continued.
C.The parameter values provided are invalid.
D.The IAM role specified lacks permissions.
AnswerB

Stacks in ROLLBACK_COMPLETE cannot be updated until the rollback is resolved.

Why this answer

Option C is correct. The error indicates the stack is in ROLLBACK_COMPLETE state, which means a previous stack creation or update failed and rolled back. To update a stack in ROLLBACK_COMPLETE, you must first delete it or execute a continue update rollback.

Option A (template syntax) is not indicated; the error is about stack state. Option B (permissions) would give a different error. Option D (parameter values) would also give a different error.

308
MCQhard

A SysOps administrator is responsible for a multi-tier web application running on AWS. The application consists of an Application Load Balancer (ALB), an Auto Scaling group of EC2 instances, and an Amazon RDS for MySQL database. Recently, the operations team has been receiving alerts from CloudWatch that the ALB's 'HTTPCode_Target_5XX_Count' metric is spiking periodically. The team has also noticed that the database CPU utilization is high during these spikes. The application logs show that some requests are timing out. The administrator needs to identify the root cause and implement a remediation. After reviewing the architecture, the administrator rules out the database as the bottleneck because the database connections are pooled and the query response times are normal. The administrator suspects that the issue is related to the application server's health. Which course of action should the administrator take to diagnose and resolve the issue?

A.Increase the health check timeout and threshold to allow for transient high CPU usage.
B.Add an Amazon ElastiCache cluster to cache database queries.
C.Decrease the health check interval to detect unhealthy instances faster.
D.Increase the idle timeout on the ALB to keep connections open longer.
AnswerA

This reduces false positive health check failures during short-lived CPU spikes, preventing unnecessary 5xx errors.

Why this answer

Option A is correct because the periodic spikes in ALB 5xx errors, high database CPU, and application timeouts, combined with normal query response times and pooled connections, strongly suggest that the application servers are becoming overwhelmed and failing health checks. By increasing the health check timeout and threshold, the ALB will allow the EC2 instances more time to recover from transient CPU or memory pressure before being marked unhealthy and removed from service, which prevents unnecessary instance replacement and reduces the cascading load on remaining instances and the database.

Exam trap

The trap here is that candidates often assume high database CPU means the database is the bottleneck, but the question explicitly states query response times are normal and connections are pooled, so the real issue is application server health causing retries and cascading load, which is remediated by tuning health check sensitivity rather than adding caching or changing timeouts.

How to eliminate wrong answers

Option B is wrong because adding an ElastiCache cluster addresses database read performance, but the database is not the bottleneck (query response times are normal and connections are pooled), so caching would not resolve the application server health issue causing the 5xx errors. Option C is wrong because decreasing the health check interval would cause the ALB to check instances more frequently, potentially marking them unhealthy even faster during transient spikes, worsening the problem by cycling instances out of service more aggressively. Option D is wrong because increasing the idle timeout on the ALB keeps connections open longer, which does not address the root cause of application server health failures; it would only delay connection closure, potentially masking the issue and increasing resource consumption on already stressed instances.

309
Multi-Selecthard

A company uses AWS OpsWorks for configuration management. The administrator needs to deploy a new application version to a stack of EC2 instances. The instances are part of a layer that has a custom recipe. Which THREE steps are required to update the application? (Choose THREE.)

Select 3 answers
A.Run the 'Execute Recipes' stack command to run the new recipe.
B.Run the 'Update Custom Cookbooks' stack command.
C.Run the 'Deploy' stack command to deploy the new application.
D.Update the app in the OpsWorks console to point to the new application version.
E.Update the custom cookbook with the new recipe for the application deployment.
AnswersA, B, E

This runs the specified recipe on the instances.

Why this answer

Options B, D, and E are correct. Updating the custom cookbook with the new recipe, running the 'Update Custom Cookbooks' stack command to fetch the latest cookbook, and then running the recipe via 'Execute Recipes' stack command are the required steps. Option A (update app) is for OpsWorks for Chef Automate, not for custom recipes.

Option C (deploy command) is for built-in deployment, not custom recipes.

310
Drag & Dropmedium

Drag and drop the steps to create an Amazon CloudWatch alarm that sends an email notification when CPU utilization exceeds 90% into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First set up the SNS topic, then create the alarm selecting the metric, define the condition, and finally add the notification action.

311
MCQeasy

A company wants to ensure that its EC2 instances automatically recover from an instance failure. Which feature should be used?

A.Create a CloudWatch alarm that sends an email when the instance status check fails.
B.Configure an Auto Scaling group with a launch configuration.
C.Attach the instance to an Elastic Load Balancer.
D.Enable EC2 Auto Recovery on the instance.
AnswerD

Correct: EC2 Auto Recovery automatically recovers an instance if it becomes impaired.

Why this answer

Option B is correct because EC2 Auto Recovery automatically recovers an instance if it becomes impaired due to an underlying hardware failure. Option A is wrong because EC2 Auto Scaling replaces instances based on scaling policies, not for individual instance failures. Option C is wrong because Elastic Load Balancing distributes traffic, it does not recover instances.

Option D is wrong because CloudWatch alarms can trigger actions but not directly recover an instance by themselves.

312
MCQhard

A company uses Amazon CloudFront to serve static content from an S3 bucket. The S3 bucket is configured as an origin with RestrictBucketAccess set to Yes, and the origin access identity (OAI) is configured. Users can access the content via CloudFront, but direct S3 URLs return Access Denied. However, some users report that they can still access the content directly via S3 URLs. What is the most likely reason?

A.The OAI is not properly associated with the CloudFront distribution.
B.The S3 bucket policy allows public read access in addition to the OAI.
C.The CloudFront distribution is using a custom origin instead of S3.
D.CloudFront is using pre-signed URLs that are being shared.
AnswerB

If the bucket policy allows public read, direct access is possible despite OAI.

Why this answer

Option B is correct because if the bucket policy allows public read access, it overrides the OAI restriction. The OAI only restricts access if the bucket policy explicitly denies all principals except the OAI. Option A is wrong because the OAI is properly set up.

Option C is wrong because CloudFront does not use pre-signed URLs for OAI. Option D is wrong because if the OAI is not in the bucket policy, the default is public access if the bucket is public.

313
MCQeasy

A company has an Auto Scaling group of EC2 instances that are critical for production. The SysOps administrator needs to be notified immediately when any instance in the group enters the 'InService' state after a scale-out event. Which approach should be used?

A.Create a CloudWatch alarm on the Auto Scaling group metric 'GroupTotalInstances' with a threshold of 1.
B.Use CloudTrail to monitor the 'CompleteLifecycleAction' API call and send notifications via CloudWatch Events.
C.Configure an Auto Scaling lifecycle hook that sends a notification to an SNS topic when the instance transitions to the 'InService' state.
D.Configure an Amazon SQS queue and have the EC2 instances send a message when they become 'InService'.
AnswerC

Lifecycle hooks provide a direct mechanism to notify when an instance reaches a specific state.

Why this answer

Option C is correct because Auto Scaling lifecycle hooks can be configured to send a notification to an SNS topic when an instance transitions to the 'InService' state. This allows the SysOps administrator to be notified immediately after a scale-out event, as the lifecycle hook pauses the instance during the transition and sends the notification before completing the action.

Exam trap

The trap here is that candidates may confuse lifecycle hooks with CloudWatch alarms or CloudTrail, thinking that monitoring API calls or aggregate metrics can provide per-instance state notifications, but only lifecycle hooks offer a native, event-driven mechanism tied directly to the instance state transition.

How to eliminate wrong answers

Option A is wrong because the 'GroupTotalInstances' metric tracks the total number of instances in the Auto Scaling group, not the state of individual instances; a threshold of 1 would trigger on any change in instance count, not specifically when an instance enters 'InService'. Option B is wrong because 'CompleteLifecycleAction' is an API call made by the administrator or automation to signal the completion of a lifecycle action, not a notification that an instance has entered 'InService'; CloudTrail logs API calls but does not directly send notifications for state transitions. Option D is wrong because having EC2 instances send a message to an SQS queue when they become 'InService' requires custom scripting and does not provide a native, reliable mechanism tied to the Auto Scaling lifecycle; it also introduces latency and potential failure points.

314
Drag & Dropmedium

Drag and drop the steps to configure a VPC peering connection between two VPCs into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create the peering request, then accept it, then update route tables in both VPCs, and finally adjust security groups.

315
MCQhard

A company uses AWS Backup to back up its Amazon EFS file system daily. The backup retention policy is set to 30 days. Recently, a user accidentally deleted a critical directory. The company wants to restore the directory as it existed 2 days ago. What is the MOST cost-effective and quickest way to achieve this?

A.Use the EFS console to recover the directory from the .Trash folder.
B.Enable EFS replication to another region and then fail back.
C.Use AWS Backup to restore the entire file system to an on-premises server, then copy the directory back.
D.Restore the backup from 2 days ago to a new EFS file system, then copy the directory to the original file system.
AnswerD

This allows selective directory recovery from the backup.

Why this answer

Option B is correct because AWS Backup creates recovery points that can be restored to a new EFS file system, and then the specific directory can be copied. Option A is wrong because EFS does not have a native trash feature. Option C is wrong because enabling EFS replication is not a backup replacement and does not provide point-in-time recovery.

Option D is wrong because restoring to an on-premises server is unnecessary and slower.

316
MCQhard

A SysOps administrator discovers that an EC2 instance was compromised because the SSH key pair was leaked. The administrator wants to ensure that future access to EC2 instances is secured using a method that does not rely on static keys. Which solution should the administrator implement?

A.Use a bastion host with a security group that allows SSH from a limited IP range.
B.Create a new key pair and distribute it securely to authorized users.
C.Use AWS Systems Manager Session Manager to connect to instances.
D.Use EC2 Instance Connect to connect to instances.
AnswerD

EC2 Instance Connect provides one-time SSH keys and uses IAM policies for access control.

Why this answer

Option C is correct because EC2 Instance Connect allows users to connect using IAM policies and does not require managing SSH keys. Option A is wrong because Systems Manager Session Manager also provides secure access without keys, but it requires the SSM Agent and instance IAM role. Option B is wrong because it is similar to SSH key pairs.

Option D is wrong because it still uses key pairs.

317
Multi-Selectmedium

A company is using Amazon RDS for MySQL with Multi-AZ deployment. They want to optimize costs while maintaining high availability. Which TWO actions should the SysOps administrator take?

Select 2 answers
A.Purchase Reserved Instances for the database instance.
B.Remove Multi-AZ to reduce costs.
C.Enable auto scaling for the RDS instance to handle variable load.
D.Review the instance size and downsize if it is over-provisioned.
E.Move to a single-AZ deployment and take snapshots for recovery.
AnswersA, D

Reserved Instances provide a discount for a 1- or 3-year commitment.

Why this answer

Option A is correct because reserved instances offer significant discounts. Option C is correct because rightsizing to a smaller instance reduces cost if the current instance is over-provisioned. Option B is wrong because removing Multi-AZ sacrifices high availability.

Option D is wrong because moving to a single-AZ also sacrifices availability. Option E is wrong because enabling auto scaling is not a feature of RDS for cost optimization.

318
MCQmedium

A SysOps administrator is troubleshooting a failed AWS CloudFormation stack creation. The error message indicates that an IAM role creation failed because the role already exists. The administrator wants to ensure the stack creation can proceed without manual intervention. What should the administrator do?

A.Modify the template to use a unique name for the IAM role.
B.Use the 'Retain' deletion policy on the IAM role resource.
C.Manually delete the existing IAM role and retry the stack creation.
D.Use a stack policy to prevent the creation of the IAM role.
AnswerA

Using a unique name (e.g., with stack name appended) avoids naming conflicts.

Why this answer

The correct answer is D because setting a unique name (e.g., using !Sub or !Join with stack name) avoids conflicts. Option A is incorrect because the stack will still fail. Option B is incorrect because the administrator wants automated recovery.

Option C is incorrect because the role already exists in the account, not just in the stack.

319
MCQeasy

A company uses Amazon CloudWatch Logs to store application logs. The logs are retained indefinitely. The compliance team requires logs to be retained for 7 years. What is the MOST cost-effective way to meet this requirement?

A.Export logs to Amazon S3 and immediately transition to S3 Glacier Deep Archive.
B.Export logs to Amazon S3 and create an S3 Lifecycle policy to transition objects to S3 Glacier Deep Archive after 7 years.
C.Disable logging after 7 years to stop incurring costs.
D.Set a log retention policy in CloudWatch Logs to expire logs after 7 years.
AnswerD

Retention policies automatically delete logs after the specified period, saving costs.

Why this answer

Option A is correct because CloudWatch Logs supports log retention policies that automatically expire logs after a specified period, reducing storage costs. Option B is wrong because exporting to S3 and then using S3 Lifecycle is more complex and may incur additional costs. Option C is wrong because exporting to S3 Glacier is an option but not the most cost-effective for 7-year retention if logs are accessed rarely; however, retention policy is simpler.

Option D is wrong because disabling logging is not compliant.

320
MCQeasy

A SysOps administrator needs to monitor the memory utilization of an EC2 instance running Windows Server. Which steps are required to collect memory metrics?

A.Install and configure the Amazon CloudWatch agent on the instance.
B.Install the AWS Systems Manager Agent (SSM Agent) and use Run Command.
C.Enable detailed monitoring on the EC2 instance.
D.Use the AWS Management Console to enable memory monitoring.
AnswerA

The CloudWatch agent can collect memory and disk metrics.

Why this answer

Amazon CloudWatch does not collect memory metrics from EC2 instances by default; it only captures hypervisor-level metrics such as CPU, network, and disk I/O. To monitor in-guest memory utilization on a Windows Server instance, you must install and configure the Amazon CloudWatch agent, which sends custom metrics (e.g., Memory % Committed Bytes In Use) to CloudWatch. The agent uses the Windows Performance Monitor (PerfMon) counters to gather this data.

Exam trap

The trap here is that candidates assume memory metrics are automatically available or can be enabled via a simple console toggle, when in fact they require the CloudWatch agent to be installed and configured on the instance.

How to eliminate wrong answers

Option B is wrong because the AWS Systems Manager Agent (SSM Agent) and Run Command are used for management tasks like patching or executing scripts, not for collecting and publishing memory metrics to CloudWatch. Option C is wrong because enabling detailed monitoring only increases the frequency of existing hypervisor-level metrics (e.g., CPU, network) from 5 minutes to 1 minute; it does not add in-guest memory metrics. Option D is wrong because the AWS Management Console does not have a built-in toggle to enable memory monitoring; memory metrics require the CloudWatch agent to be installed and configured on the instance.

321
Multi-Selectmedium

A company is using Amazon CloudFront to distribute content globally. They want to restrict access to their content so that only users from specific countries can access it. Which TWO actions can be taken to achieve this?

Select 2 answers
A.Configure an S3 bucket policy with a condition for aws:SourceIp.
B.Configure CloudFront geo restriction (whitelist or blacklist) at the distribution level.
C.Use IAM policies to restrict access based on the user's location.
D.Use AWS WAF associated with CloudFront to create a rule that blocks requests based on geographic origin.
E.Set up an Application Load Balancer rule to deny traffic from certain IP ranges.
AnswersB, D

CloudFront can restrict based on country.

Why this answer

Option B is correct because CloudFront geo restriction allows you to whitelist or blacklist countries at the distribution level, directly controlling access based on the geographic location of the viewer's IP address. This is a native CloudFront feature that does not require additional services, making it a straightforward solution for country-based access control.

Exam trap

The trap here is that candidates often confuse the ability to use S3 bucket policies with aws:SourceIp for CloudFront-distributed content, not realizing that CloudFront acts as a proxy and the source IP seen by S3 is the CloudFront edge IP, not the end user's IP.

322
Multi-Selectmedium

A SysOps administrator is troubleshooting an issue where an Application Load Balancer (ALB) is returning 503 errors to clients. The target group has healthy EC2 instances. Which THREE possible causes should the administrator investigate? (Choose three.)

Select 3 answers
A.The load balancer is not attached to a subnet.
B.The security group for the load balancer is blocking traffic.
C.The load balancer has reached its capacity limit.
D.The target group has no registered targets.
E.The target group health check is misconfigured.
AnswersB, C, D

Can cause 503 if inbound/outbound rules are wrong.

Why this answer

Options A, B, and D are correct. An ALB returns 503 if no healthy targets are registered, if the load balancer is at capacity, or if there is a misconfigured security group blocking traffic. Option C is wrong because an unhealthy target group would show unhealthy instances.

Option E is wrong because a missing subnet would prevent the ALB from being created or functioning, but the ALB is already working.

323
MCQeasy

A company runs a web application on Amazon EC2 instances that have variable traffic patterns. The application experiences steady baseline traffic with occasional spikes. The SysOps administrator wants to optimize costs while ensuring performance during spikes. Which pricing model should be used for the baseline capacity and for the burst capacity?

A.Reserved Instances for baseline, Spot Instances for burst capacity
B.On-Demand Instances for baseline, Reserved Instances for burst capacity
C.Spot Instances for baseline, On-Demand Instances for burst capacity
D.Dedicated Hosts for baseline, Spot Instances for burst capacity
AnswerA

Reserved Instances reduce cost for predictable baseline usage. Spot Instances are cost-effective for bursts that can tolerate interruptions.

Why this answer

Reserved Instances provide a significant discount (up to 72%) over On-Demand for steady-state workloads, making them ideal for baseline capacity. Spot Instances offer the lowest cost (up to 90% discount) but can be interrupted with a 2-minute warning, which is acceptable for burst capacity that can tolerate interruptions or be designed to failover gracefully. This combination minimizes cost while ensuring the baseline always runs and burst capacity can be added during spikes.

Exam trap

The trap here is that candidates often assume On-Demand is the only safe choice for baseline or that Spot Instances are too risky for any production use, but the question specifically allows for burst capacity that can tolerate interruptions, making Spot the optimal cost-saving choice.

How to eliminate wrong answers

Option B is wrong because Reserved Instances are designed for predictable, long-term workloads, not for burst capacity that is temporary and variable; using them for bursts would lock in capacity that may go unused, wasting money. Option C is wrong because Spot Instances can be terminated at any time, making them unreliable for baseline capacity that must always be available; using On-Demand for bursts is more expensive than using Spot for bursts. Option D is wrong because Dedicated Hosts are a physical server dedicated to a single customer, which is overkill and costly for baseline capacity that does not require dedicated hardware or licensing restrictions; they do not provide cost optimization for variable traffic.

324
Multi-Selecthard

A company is using a t3.medium EC2 instance for a development web server. The instance is underutilized most of the time. Which TWO actions would optimize costs? (Choose TWO.)

Select 2 answers
A.Enable EBS optimization.
B.Downsize the instance to t3.small.
C.Purchase a Reserved Instance for the instance.
D.Change the instance to On-Demand.
E.Use Spot Instances for the workload.
AnswersB, C

Smaller instance costs less.

Why this answer

Options A and C are correct. A is correct because t3 instances can use unlimited mode to burst CPU, but if underutilized, standard mode with T2/T3 unlimited disabled may be cheaper; however, t3 instances are already burstable. Actually, for cost optimization, downsizing to t3.small (A) saves cost.

Purchasing a Reserved Instance (C) for steady usage saves cost. Option B is wrong because switching to On-Demand doesn't save. Option D is wrong because Spot Instances are not suitable for development if they need to be available always.

Option E is wrong because EBS optimization is unnecessary.

325
MCQeasy

A company wants to create a disaster recovery (DR) strategy for its RDS for PostgreSQL database. The primary database is in us-east-1. The company needs a recovery point objective (RPO) of less than 5 minutes and a recovery time objective (RTO) of less than 1 hour. Which solution meets these requirements?

A.Enable Multi-AZ in us-east-1 and create a standby in a different Availability Zone.
B.Create a cross-region Read Replica in us-west-2 and promote it during a disaster.
C.Use AWS Database Migration Service (DMS) to continuously replicate to an EC2 instance.
D.Take daily automated snapshots and copy them to us-west-2.
AnswerB

Low RPO and RTO.

Why this answer

Option B is correct because a cross-region Read Replica can be promoted to a primary in another region, achieving low RPO (seconds) and low RTO (minutes). Option A is wrong because snapshots have higher RPO and RTO. Option C is wrong because DMS is for migration, not DR.

Option D is wrong because single-region Multi-AZ does not protect against region failure.

326
MCQeasy

A company wants to enforce that all IAM users in an AWS account must use multi-factor authentication (MFA) to access the AWS Management Console. Which IAM policy effect should be used to deny access if MFA is not present?

A.Allow with a condition that aws:MultiFactorAuthPresent is false
B.Allow with a condition that aws:MultiFactorAuthPresent is true
C.Deny with a condition that aws:MultiFactorAuthPresent is false
D.Deny with a condition that aws:MultiFactorAuthPresent is true
AnswerC

This explicitly denies access when MFA is not present, effectively enforcing MFA for all users.

Why this answer

The correct approach is to use a Deny effect in a condition that checks if MFA is present. Option B is correct because it denies access when the condition 'aws:MultiFactorAuthPresent' is false. Option A is wrong because Allow would grant access even without MFA.

Option C is wrong because it allows access only when MFA is present, but does not deny when missing. Option D is wrong because it allows access when MFA is not present.

327
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application experiences variable traffic with occasional spikes. The SysOps administrator wants to optimize costs while ensuring that the application can handle spikes without performance degradation. The current setup uses a fixed number of instances. Which action should the administrator take?

A.Purchase Reserved Instances for the current number of instances to reduce hourly cost.
B.Implement an Auto Scaling group with a target tracking scaling policy based on ALB request count per target.
C.Replace on-demand instances with Spot Instances for all traffic.
D.Increase the instance size to a compute-optimized type to handle spikes.
AnswerB

Correct: Auto Scaling dynamically adjusts capacity, optimizing cost and performance.

Why this answer

Option C is correct because Auto Scaling with a target tracking policy on ALB request count allows the number of instances to adjust based on traffic, handling spikes and reducing instances during low traffic. Option A (increase instance size) may handle spikes but is expensive for low traffic. Option B (Reserved Instances) locks in a fixed capacity.

Option D (Spot Instances) are cheaper but can be interrupted, risking performance degradation during spikes.

328
MCQmedium

A SysOps administrator is tuning the health check of an Auto Scaling group. The group uses an ALB. The application takes up to 2 minutes to start. The health check settings are: HealthCheckGracePeriod=300, HealthCheckType=EC2. The administrator notices that instances are often marked unhealthy and terminated shortly after launch. What should the administrator change?

A.Change the HealthCheckType to EC2 (already EC2, but change to ELB).
B.Increase the HealthCheckGracePeriod to 600 seconds.
C.Change the HealthCheckType to ELB.
D.Decrease the HealthCheckGracePeriod to 120 seconds.
AnswerA

ELB health checks can be configured to check the application endpoint after it is ready.

Why this answer

Option C is correct: The HealthCheckGracePeriod is 300 seconds (5 minutes), which is sufficient for the 2-minute startup. However, HealthCheckType=EC2 means the ASG uses EC2 status checks, not ALB health checks. The EC2 status checks may fail if the instance is not fully initialized.

Changing to ELB health checks allows the ASG to use the ALB health check, which can be configured to wait for the application to respond. Option A is incorrect because the grace period is already long enough. Option B is incorrect because increasing the grace period doesn't fix the health check type mismatch.

Option D is incorrect because decreasing the grace period would make the problem worse.

329
MCQmedium

A company has a web application running on EC2 instances behind an Application Load Balancer (ALB). The application uses sticky sessions (session affinity) based on cookies. Recently, the SysOps team noticed that user sessions are being lost intermittently, causing users to be logged out. The team checks the ALB configuration and finds that the stickiness is enabled with a cookie name 'AWSALB' and duration of 1 hour. The application also sets its own cookie. What is the most likely cause of session loss?

A.The ALB's health check interval is too short, causing instances to be marked unhealthy
B.The application cookie is overwriting the ALB's stickiness cookie
C.Cross-zone load balancing is disabled on the ALB
D.The application's session cookie has a shorter expiration than the ALB's stickiness duration
AnswerD

If the application cookie expires, the session is lost even though the ALB still routes to the same instance.

Why this answer

Option A is correct because if the application's cookie is set to expire before the ALB's stickiness duration, the session may be lost when the application cookie expires. Option B is wrong because cross-zone load balancing does not affect stickiness. Option C is wrong because health checks do not remove stickiness unless the instance becomes unhealthy.

Option D is wrong because the ALB generates its own cookie; the application setting a cookie does not interfere unless it overwrites.

330
MCQhard

An organization is using AWS OpsWorks for Chef Automate to manage configuration of EC2 instances. The administrator notices that a new cookbook version is not being applied to existing instances in a layer. The cookbook is stored in a private Amazon S3 bucket and the instances have an instance profile that allows read access. What is the MOST likely reason for this issue?

A.The cookbook version is not being automatically downloaded because the instances are not rebooted.
B.The S3 bucket policy does not grant the necessary permissions to the instance profile.
C.The 'Update Cookbooks' stack command needs to be run manually to apply the new cookbook version to existing instances.
D.The Chef client on the instances is not configured to run automatically.
AnswerC

Why C is correct

Why this answer

Option C is correct because in OpsWorks, cookbooks are automatically updated only during the Setup or Configure lifecycle events. To force an update on existing instances, the administrator must run the 'Update Cookbooks' stack command or trigger a Configure lifecycle event. Option A is incorrect because the S3 permissions appear correct.

Option B is incorrect because the cookbook version is not automatically downloaded when a new version is published; an update must be triggered. Option D is incorrect because the Chef client runs automatically, but it does not fetch new cookbooks unless told to do so.

331
MCQmedium

A SysOps administrator needs to monitor memory utilization of an Amazon EC2 instance. The default Amazon CloudWatch metrics for EC2 do not include memory utilization. Which solution should the administrator implement to collect memory metrics and set alarms?

A.Install the CloudWatch agent on the instance and configure it to collect memory metrics
B.Enable detailed monitoring on the EC2 instance
C.Use AWS Systems Manager Patch Manager to report memory usage
D.Use AWS CloudTrail to log memory events
AnswerA

The CloudWatch agent can capture OS-level metrics (memory, disk, etc.) and send them to CloudWatch, allowing alarms to be created.

Why this answer

The CloudWatch agent is specifically designed to collect custom metrics, such as memory utilization, from EC2 instances and on-premises servers. Unlike the default EC2 metrics, which only capture hypervisor-level metrics (e.g., CPU, disk I/O, network), memory utilization requires OS-level access. The CloudWatch agent uses the `mem` plugin to gather memory data and can publish it to CloudWatch as custom metrics, enabling alarm configuration.

Exam trap

The trap here is that candidates often confuse 'detailed monitoring' with the ability to collect additional metrics, but detailed monitoring only increases the resolution of existing metrics, not the scope of what is collected.

How to eliminate wrong answers

Option B is wrong because enabling detailed monitoring increases the frequency of existing EC2 metrics (e.g., CPU, disk I/O) from 5 minutes to 1 minute, but it does not add new metrics like memory utilization. Option C is wrong because AWS Systems Manager Patch Manager is used for patching and compliance, not for collecting or reporting memory usage metrics. Option D is wrong because AWS CloudTrail logs API calls and management events, not OS-level performance data like memory utilization.

332
Multi-Selecthard

Which TWO actions should a SysOps administrator take to secure an S3 bucket that stores sensitive data? (Choose two.)

Select 2 answers
A.Enable S3 Block Public Access settings on the bucket.
B.Enable cross-origin resource sharing (CORS) on the bucket.
C.Enable S3 Versioning.
D.Enable S3 server access logging.
E.Enable S3 Transfer Acceleration.
AnswersA, D

This prevents any public access to the bucket.

Why this answer

Options A and E are correct. Enabling S3 Block Public Access prevents public access, and enabling S3 server access logging provides audit logs. Option B is wrong because CORS is for cross-origin requests, not security.

Option C is wrong because S3 Transfer Acceleration is for faster uploads, not security. Option D is wrong because versioning helps with data protection but not direct security control.

333
MCQhard

A company runs a critical application on a fleet of EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application uses an Amazon RDS MySQL Multi-AZ DB instance for persistent storage. The SysOps administrator recently configured a lifecycle hook on the Auto Scaling group to perform a custom action before instance termination. During a recent scale-in event, the administrator noticed that some requests were still being routed to the terminating instance, causing errors. The ALB's deregistration delay is set to 300 seconds. The lifecycle hook has a default timeout of 3600 seconds. The administrator wants to ensure that the instance completes its custom action and that all in-flight requests are drained before the instance is terminated. The custom action typically takes 120 seconds. What should the administrator do to resolve this issue?

A.Change the lifecycle hook to use the 'Replace and terminate' type instead of 'Terminate'.
B.Disable the lifecycle hook and rely solely on the ALB's deregistration delay to drain connections.
C.Reduce the lifecycle hook timeout to 120 seconds. Keep the deregistration delay at 300 seconds.
D.Increase the deregistration delay to 600 seconds. Keep the lifecycle hook timeout at 3600 seconds.
AnswerC

This allows the custom action to complete within the hook timeout, then the ALB completes draining before termination.

Why this answer

Option A is correct because reducing the lifecycle hook timeout to match the custom action duration (120 seconds) and keeping the deregistration delay slightly higher (e.g., 300 seconds) ensures that the instance completes its custom action and then ALB finishes draining requests before the instance terminates. Option B is wrong because increasing the deregistration delay to 600 seconds would delay termination unnecessarily and might not align with the lifecycle hook. Option C is wrong because disabling the lifecycle hook removes the custom action.

Option D is wrong because changing to 'Replace and terminate' lifecycle hook type would terminate the old instance before launching a new one, which could cause capacity issues.

334
MCQhard

A SysOps administrator is deploying a CloudFormation stack that includes an AWS::ECS::Service resource. The service uses a task definition that references a container image stored in Amazon ECR. The stack creation fails with the error: 'Unable to assume the service-linked role.' What is the MOST likely cause?

A.The task execution role does not have permissions to pull the container image from ECR.
B.The CloudFormation service role does not have permission to create ECS resources.
C.The ECR repository policy does not grant access to the ECS service.
D.The ECS service-linked role does not exist in the account.
AnswerD

CloudFormation fails if the required service-linked role is missing.

Why this answer

Option B is correct because ECS requires a service-linked role (AWSServiceRoleForECS) to manage resources, and if it does not exist, CloudFormation will fail. Option A is wrong because the task execution role is separate from the service-linked role. Option C is wrong because ECR permissions are for pulling images, not for the service role.

Option D is wrong because CloudFormation uses its own role, not the service-linked role.

335
MCQhard

A SysOps Administrator is configuring a VPC with a public subnet and a private subnet. The public subnet has an Internet Gateway. An EC2 instance in the private subnet needs to access an S3 bucket. What is the MOST secure way to provide this access?

A.Attach an Internet Gateway to the private subnet.
B.Create a VPC Gateway Endpoint for S3 in the private subnet's route table.
C.Use a VPC peering connection to an S3 bucket.
D.Create a NAT Gateway in the public subnet and route traffic through it.
AnswerB

Correct because a Gateway Endpoint provides secure, private access to S3.

Why this answer

Option D is correct because a VPC Gateway Endpoint for S3 provides private connectivity without traversing the internet. Option A is wrong because a NAT Gateway with a public subnet is less secure and incurs costs. Option B is wrong because an Internet Gateway would expose the instance.

Option C is wrong because VPC peering does not provide S3 access.

336
MCQmedium

A company uses AWS CodeDeploy to deploy an application to an Auto Scaling group. The deployment fails because the target instances are not passing the health checks. The administrator reviews the CodeDeploy deployment logs and finds that the application installation succeeded but the built-in health check failed. What should the administrator do to resolve this issue?

A.Modify the AppSpec file to set the 'healthCheckGracePeriod' to a higher value.
B.Modify the AppSpec file to include a script in the 'AfterInstall' lifecycle event that restarts the web server.
C.Modify the AppSpec file to run a script in the 'ApplicationStop' lifecycle event.
D.Modify the AppSpec file to include a script in the 'Validate Service' lifecycle event that performs a custom health check.
AnswerD

The Validate Service event is specifically for custom health checks after deployment.

Why this answer

The Validate Service lifecycle hook is used to run health checks after installation. Option B is correct. Option A is wrong because the ApplicationStop hook runs before installation.

Option C is wrong because AfterInstall runs before validation. Option D is wrong because the AppSpec file is not used to skip health checks.

337
Multi-Selecthard

A company wants to implement a disaster recovery solution for its on-premises database using AWS. The solution must have an RPO of less than 1 hour and an RTO of less than 4 hours. Which THREE steps should the SysOps administrator take? (Choose THREE.)

Select 3 answers
A.Set up a cross-Region read replica for the RDS instance.
B.Launch an EC2 instance with the database software and configure replication.
C.Use AWS Database Migration Service (DMS) to replicate data to an RDS instance.
D.Use AWS DataSync to sync the database files to Amazon S3.
E.Configure the RDS instance with Multi-AZ.
AnswersA, C, E

Allows failover to another Region.

Why this answer

Options B, C, and E are correct. AWS DMS can replicate data continuously to RDS, meeting RPO. RDS with Multi-AZ provides automatic failover.

An RDS read replica in another Region provides cross-region failover. Option A is wrong because S3 is not suitable for live database replication. Option D is wrong because EC2 with self-managed replication is more complex and may not meet RTO.

338
MCQhard

A company runs a critical database on an RDS for PostgreSQL instance in a single Availability Zone. The database experiences high write latency. The SysOps Administrator needs to improve the database's reliability and performance without downtime. Which solution meets these requirements?

A.Modify the RDS instance to be Multi-AZ with a standby in another Availability Zone.
B.Create a Multi-AZ deployment in the same Availability Zone.
C.Increase the allocated storage for the RDS instance.
D.Create a read replica in another Availability Zone and redirect read traffic.
AnswerA

Provides high availability and failover, and can be done without downtime.

Why this answer

Option B is correct because enabling Multi-AZ provides high availability with automatic failover, and it can be modified without downtime. Option A is wrong because converting to Multi-AZ in a single AZ does not improve performance. Option C is wrong because creating a read replica does not improve write performance.

Option D is wrong because increasing storage size might help performance but does not improve reliability.

339
Multi-Selecteasy

Which TWO actions can reduce costs for an Amazon EC2 environment that runs non-critical batch jobs that can be interrupted? (Choose TWO.)

Select 2 answers
A.Use Scheduled Reserved Instances.
B.Associate Elastic IP addresses with the instances.
C.Use Dedicated Hosts.
D.Use Spot Instances for the batch jobs.
E.Use On-Demand Instances.
AnswersA, D

Allows reservation for specific time windows, cost-effective for predictable schedules.

Why this answer

Scheduled Reserved Instances allow you to reserve capacity for recurring time windows, such as daily or weekly batch jobs. This provides a significant discount over On-Demand pricing (up to 30-40%) while ensuring capacity is available when needed, making it cost-effective for predictable, interruptible workloads.

Exam trap

The trap here is that candidates often overlook Scheduled Reserved Instances as a cost-saving option for predictable batch jobs, mistakenly thinking only Spot Instances apply, or they confuse Elastic IP addresses with cost reduction when they actually add cost if not managed properly.

340
MCQeasy

A SysOps administrator has deployed an Application Load Balancer (ALB) that distributes traffic to a fleet of Amazon EC2 instances. The administrator notices that the ALB is sending all traffic to instances in a single Availability Zone (AZ), ignoring instances in other AZs. The ALB was created with default settings. Which action should the administrator take to ensure traffic is distributed evenly across all AZs?

A.Enable cross-zone load balancing on the ALB.
B.Enable connection draining on the target group.
C.Enable sticky sessions (session stickiness) on the target group.
D.Configure health checks on the target group to ensure unhealthy instances are not used.
AnswerA

Cross-zone load balancing distributes incoming traffic across all instances in all AZs where the ALB is enabled. By default, it is enabled for Application Load Balancers, but if the administrator created the ALB with an older API or modified it, it may have been disabled. Enabling it will spread traffic evenly.

Why this answer

By default, an Application Load Balancer distributes traffic evenly across the registered targets in each enabled Availability Zone, but it does not distribute traffic evenly across zones. This means if one AZ has more healthy targets than another, traffic is still split 50/50 between AZs, not across all instances equally. Enabling cross-zone load balancing on the ALB ensures that traffic is distributed evenly across all healthy targets in all enabled AZs, regardless of the number of instances in each zone.

Exam trap

The trap here is that candidates often assume ALB distributes traffic evenly across all instances by default, but the default behavior is to distribute traffic evenly across Availability Zones, not across individual instances.

How to eliminate wrong answers

Option B is wrong because connection draining (also known as deregistration delay) is used to complete in-flight requests before an instance is deregistered or becomes unhealthy, not to distribute traffic across AZs. Option C is wrong because sticky sessions (session stickiness) bind a client's requests to a specific target instance, which can actually prevent even distribution across AZs by concentrating traffic on a single instance. Option D is wrong because health checks only mark unhealthy instances as out of service; they do not influence how traffic is distributed across AZs—traffic would still be sent to healthy instances in the same AZ even if other AZs have healthy instances.

341
MCQeasy

Which AWS service can be used to create a private, dedicated connection between an on-premises data center and AWS?

A.AWS Site-to-Site VPN
B.AWS Transit Gateway
C.VPC Peering
D.AWS Direct Connect
AnswerD

Dedicated private connection from on-prem to AWS.

Why this answer

Option C is correct because AWS Direct Connect provides a dedicated private connection. Option A is wrong because VPN provides encrypted tunnels over the internet, not dedicated. Option B is wrong because VPC Peering connects VPCs.

Option D is wrong because Transit Gateway connects multiple VPCs and on-premises via VPN or Direct Connect.

342
MCQhard

A company is running a critical application on Amazon EC2 instances. The application performance has degraded over the past week. The SysOps administrator suspects a memory leak. The administrator needs to collect detailed memory usage metrics every minute and store them for 30 days. Which solution is the MOST cost-effective and operationally efficient?

A.Use AWS CloudTrail to log memory usage and store the logs in Amazon S3.
B.Enable default EC2 monitoring to collect memory metrics every 5 minutes.
C.Enable detailed monitoring on the EC2 instances to collect memory metrics every 1 minute.
D.Install the CloudWatch agent on the EC2 instances to collect memory metrics and publish them to CloudWatch.
AnswerD

The CloudWatch agent can collect memory metrics and publish them as custom metrics with 1-minute resolution.

Why this answer

Option D is correct because the CloudWatch agent is specifically designed to collect custom metrics like memory utilization from EC2 instances, which are not available through default or detailed EC2 monitoring. By installing the agent and configuring it to publish memory metrics to CloudWatch every minute, the administrator can meet the requirement for 1-minute granularity and 30-day retention cost-effectively, as CloudWatch retains metric data at 1-minute resolution for 15 days by default, but can be extended to 30 days via a custom metric retention setting.

Exam trap

The trap here is that candidates often confuse detailed EC2 monitoring (which only covers hypervisor-level metrics) with in-guest monitoring, assuming that enabling detailed monitoring will capture memory usage, but memory is a guest OS metric that requires the CloudWatch agent.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail logs API activity, not system-level metrics like memory usage; it cannot capture memory utilization data from EC2 instances. Option B is wrong because default EC2 monitoring collects metrics (e.g., CPU, network) every 5 minutes, not memory metrics, and the 5-minute interval does not meet the 1-minute requirement. Option C is wrong because detailed EC2 monitoring collects metrics every 1 minute but only includes hypervisor-level metrics (e.g., CPU, disk I/O, network); memory metrics are not provided by EC2 monitoring and require an in-guest agent like the CloudWatch agent.

343
Multi-Selectmedium

A SysOps administrator is planning a VPC design with high availability for an application that must tolerate the failure of an entire Availability Zone. Which TWO configurations should be implemented? (Select TWO.)

Select 2 answers
A.Use a single NAT Gateway for all private subnets.
B.Deploy a NAT Gateway in each Availability Zone.
C.Launch EC2 instances in at least two Availability Zones.
D.Use a placement group to ensure instances are in different AZs.
E.Use only one public subnet and one private subnet.
AnswersB, C

Provides AZ-level redundancy for outbound traffic.

Why this answer

Option B is correct because deploying a NAT Gateway in each Availability Zone ensures that private subnets in each AZ have a route to the internet via a NAT Gateway that resides in the same AZ, preventing cross-AZ data transfer costs and maintaining high availability if an entire AZ fails. Option C is correct because launching EC2 instances in at least two Availability Zones provides fault tolerance at the compute layer, allowing the application to continue serving traffic even if one AZ becomes unavailable.

Exam trap

The trap here is that candidates often think a single NAT Gateway is sufficient for high availability because it is a managed service, but they overlook that it is still tied to a single AZ and will fail if that AZ fails, making per-AZ deployment essential for AZ-level fault tolerance.

344
MCQmedium

Refer to the exhibit. A SysOps administrator is troubleshooting connectivity issues for a web application that uses an ALB. The ALB sends health check requests to targets on port 443. The network ACL shown is associated with the target subnet. Based on the exhibit, what is causing the health checks to fail?

A.The network ACL allows inbound HTTPS (443) from 0.0.0.0/0, which includes the ALB, so this should work. The issue is likely elsewhere.
B.The network ACL does not allow inbound traffic from the ALB on ephemeral ports.
C.The network ACL is blocking inbound traffic from the internet, but health checks come from the ALB.
D.The network ACL does not allow inbound HTTP (port 80) from the ALB.
AnswerA

The NACL rules seem to allow health checks, so the problem might be elsewhere.

Why this answer

Option A is correct because the network ACL has an inbound rule (Rule 120) that denies all traffic (protocol -1) after allowing specific ports. However, health checks originate from the ALB's private IP addresses, which are not 0.0.0.0/0? Actually, the ALB's health check traffic comes from the ALB's subnet IPs, which might be in the same VPC or different? The NACL rule 100 allows TCP 443 from 0.0.0.0/0, which should include the ALB's IPs. But the deny rule 120 will block traffic not matching the allow rules.

However, health check traffic on port 443 should be allowed by rule 100. The issue might be that the NACL is stateless, and the ephemeral ports for response are not allowed. But the question is about health checks failing.

Option B is wrong because the ALB does not send health checks on port 80 unless configured. Option C is wrong because health checks originate from ALB, not internet. Option D is wrong because the NACL allows inbound 443 from 0.0.0.0/0.

345
MCQhard

An organization has a VPC with public and private subnets. The private subnets need to access the internet for software updates. A NAT gateway is deployed in a public subnet and the private subnet route table has a route for 0.0.0.0/0 pointing to the NAT gateway. However, instances in the private subnet cannot reach the internet. What could be the issue?

A.The NAT gateway's subnet does not have a route to an internet gateway
B.The private subnet's network ACL blocks outbound HTTPS traffic
C.The security group attached to the NAT gateway does not allow outbound traffic
D.The private instances do not have a public IP address assigned
AnswerA

The NAT gateway needs a route to the IGW to reach the internet.

Why this answer

Option C is correct because the NAT gateway must be in a public subnet with an internet gateway route; if the route table for the NAT gateway's subnet does not have a default route to the IGW, the NAT gateway cannot reach the internet. Option A is wrong because security groups for the NAT gateway do not affect internet access; NAT gateways are managed services. Option B is wrong because the private instances need a route to the NAT gateway, not a public IP.

Option D is wrong because the NAT gateway is in a public subnet, so the private subnet does not need a public IP.

346
MCQeasy

A SysOps administrator needs to receive an email notification when an IAM user's console login fails. Which AWS service should be used to set up this notification?

A.Amazon CloudWatch
B.AWS CloudTrail
C.Amazon Simple Notification Service (SNS)
D.AWS Config
AnswerA

CloudWatch can create a metric filter on a CloudTrail log group to count failed login events, set an alarm on that metric, and publish to SNS for email notification. CloudWatch is the core monitoring and alerting service.

Why this answer

Amazon CloudWatch can monitor AWS CloudTrail log events for IAM console login failures by creating a metric filter on the CloudTrail log group for the `ConsoleLogin` event with a `failure` status. When the filter matches, CloudWatch can trigger an alarm that sends an email notification via Amazon SNS. This is the correct service because CloudWatch is designed for monitoring and alerting on operational metrics and log patterns.

Exam trap

The trap here is that candidates often pick Amazon SNS directly, forgetting that SNS is a notification channel, not a monitoring service, and requires CloudWatch to detect the failure event first.

How to eliminate wrong answers

Option B (AWS CloudTrail) is wrong because CloudTrail only records API activity and audit logs; it cannot directly send email notifications or trigger alerts without CloudWatch. Option C (Amazon SNS) is wrong because SNS is a pub/sub messaging service that delivers notifications, but it cannot monitor or detect login failures on its own; it requires a trigger from another service like CloudWatch. Option D (AWS Config) is wrong because Config evaluates resource configurations and compliance rules, not real-time login events or authentication failures.

347
MCQmedium

A company uses AWS CloudFormation to manage infrastructure. They have a stack that creates an Amazon RDS DB instance. The database is in a VPC with public and private subnets. The DB instance is in a private subnet. When the stack is created, the DB instance is not accessible from an EC2 instance in the same VPC. What is the most likely cause?

A.The DB subnet group does not include the correct subnets.
B.The security group for the DB instance does not allow inbound traffic from the EC2 instance.
C.The VPC does not have an internet gateway attached.
D.The DB instance does not have a public IP address.
AnswerB

Security groups control inbound traffic; the DB instance's security group must allow traffic from the EC2 security group.

Why this answer

Option D is correct because the DB instance's security group must allow inbound traffic from the EC2 instance's security group. Option A is wrong because the DB instance is in a private subnet, so it doesn't have a public IP. Option B is wrong because the DB subnet group is configured correctly.

Option C is wrong because the VPC has a route to the internet, but that's not needed for internal communication.

348
MCQmedium

A company runs a web application on Amazon EC2 instances in an Auto Scaling group. The application experiences steady traffic during business hours and very low traffic overnight. The SysOps administrator wants to optimize costs by using a mix of On-Demand and Spot Instances. The administrator also requires that the total capacity never falls below the baseline level needed during business hours, even if Spot Instances are reclaimed. Which combination of Auto Scaling features should be used?

A.Use a mixed instances policy and set the 'On-Demand Base' capacity to the minimum number of instances required during business hours, and 'On-Demand percentage above base' to 0% so that any additional capacity is Spot.
B.Use a launch template that specifies a Spot Instance type and set the total capacity to the desired level, relying on capacity rebalance to replace interrupted Spot Instances.
C.Purchase Compute Savings Plans to cover the entire Auto Scaling group, and use only Spot Instances for all capacity.
D.Configure the Auto Scaling group with a launch template that sets the instance market to 'spot' and use a scaling policy that always maintains the minimum capacity.
AnswerA

This ensures at least the baseline number of On-Demand instances always run, meeting the availability requirement. Any extra capacity uses Spot Instances for cost savings.

Why this answer

Option A is correct because a mixed instances policy allows the Auto Scaling group to use both On-Demand and Spot Instances. By setting the 'On-Demand Base' capacity to the minimum number of instances required during business hours, you guarantee that baseline capacity is always fulfilled by On-Demand Instances, which are not subject to interruption. Setting 'On-Demand percentage above base' to 0% ensures that any additional capacity beyond the base is fulfilled by Spot Instances, optimizing cost while maintaining the required capacity floor.

Exam trap

The trap here is that candidates often assume that using Spot Instances with a scaling policy or capacity rebalance alone can guarantee capacity, but they fail to recognize that only On-Demand Instances provide a hard guarantee against interruption, which is why the mixed instances policy with an explicit On-Demand base is required.

How to eliminate wrong answers

Option B is wrong because using a launch template that specifies only a Spot Instance type and relying solely on capacity rebalance does not guarantee that the total capacity never falls below the baseline level during business hours; Spot Instances can be reclaimed at any time, and capacity rebalance only attempts to replace them but cannot guarantee uninterrupted capacity. Option C is wrong because Compute Savings Plans cover a commitment to spend a certain amount per hour but do not prevent Spot Instances from being reclaimed; if all capacity is Spot, the baseline could drop below the required level during interruptions. Option D is wrong because configuring the Auto Scaling group with a launch template that sets the instance market to 'spot' and using a scaling policy that always maintains the minimum capacity does not ensure that the minimum capacity is fulfilled by On-Demand Instances; Spot Instances can still be reclaimed, causing the actual capacity to fall below the minimum.

349
MCQhard

A SysOps administrator reviews the CloudWatch metrics for an EC2 instance as shown. The instance is part of an Auto Scaling group with a target tracking scaling policy based on average CPU utilization set to 50%. During the time period shown, what is the expected behavior?

A.The Auto Scaling group will not scale because the average CPU utilization over the hour is below 50%.
B.The Auto Scaling group will scale in because the CPU utilization dropped below 50% at the end.
C.The Auto Scaling group will scale out because CPU utilization exceeded 50% for several consecutive data points.
D.The Auto Scaling group will not scale because the metric shows a decline after the peak.
AnswerC

The policy will trigger scale-out when the metric breaches the target for enough consecutive periods.

Why this answer

Option C is correct because CPU utilization peaks at 95.1% at 00:20, exceeding the 50% target, so the Auto Scaling group should scale out. Option A is wrong because it does exceed the target. Option B is wrong because the average over the hour is around 47%, but the policy reacts to sustained breaches; the peak would trigger scaling.

Option D is wrong because scaling would occur.

350
MCQhard

A company hosts a critical web application on EC2 instances behind an Application Load Balancer. The security team enabled AWS WAF on the ALB to block SQL injection and XSS attacks. They also use AWS Shield Advanced for DDoS protection. Recently, the application experienced intermittent performance degradation during normal traffic patterns. The security team reviewed the WAF logs and found that legitimate user requests with query strings containing the word "select" (e.g., ?category=select+option) were being blocked. The team wants to ensure that only actual SQL injection attempts are blocked, not legitimate requests with similar patterns. What course of action should the SysOps administrator take to resolve this issue while maintaining security?

A.Disable the SQL injection rule in AWS WAF and rely solely on AWS Shield Advanced for protection.
B.Enable AWS Shield Advanced's automatic mitigation feature to handle all layer 7 attacks.
C.Create a custom WAF rule that inspects specific query string parameters with a more precise regex pattern to reduce false positives.
D.Replace the WAF SQL injection rule with a rate-based rule to limit request rates from specific IPs.
AnswerC

A custom rule with a targeted regex pattern can differentiate between actual SQL injection and legitimate uses of words like 'select'.

Why this answer

Option C is correct because AWS WAF allows you to create custom rules with conditions that can be scoped to specific parts of the request (e.g., URI path, query string). By creating a custom rule that targets the specific parameter (e.g., 'category') and uses a more precise regex pattern (like looking for SQL keywords in specific contexts), you can reduce false positives while still blocking actual SQL injection attempts. Option A is wrong because disabling the SQL injection rule entirely removes protection.

Option B is wrong because switching to rate-based rules does not address SQL injection false positives. Option D is wrong because Shield Advanced does not have the ability to fine-tune WAF rules; it focuses on DDoS protection.

351
MCQeasy

A SysOps administrator needs to allow traffic from a specific IP address range (203.0.113.0/24) to access an Amazon EC2 instance in a VPC. Which configuration step should be performed?

A.Create an IAM policy that allows inbound traffic from 203.0.113.0/24.
B.Add a rule to the network ACL associated with the subnet to allow inbound traffic from 203.0.113.0/24.
C.Modify the route table of the subnet to include a route for 203.0.113.0/24 to the internet gateway.
D.Add an inbound rule to the security group associated with the EC2 instance allowing traffic from 203.0.113.0/24.
AnswerD

Security groups act as a virtual firewall for the instance, and stateful rules are appropriate.

Why this answer

Option B is correct because a security group inbound rule allows traffic from the specified CIDR. Option A is wrong because network ACLs are stateless and less granular; security groups are preferred for host-level control. Option C is wrong because route tables control traffic flow between subnets, not access to instances.

Option D is wrong because IAM policies do not control network traffic.

352
MCQhard

A company runs a web application on AWS that uses an Application Load Balancer (ALB) across multiple Availability Zones. The application is deployed on EC2 instances in an Auto Scaling group behind the ALB. The RDS database is Multi-AZ with synchronous replication. Recently, the operations team noticed that during a planned failover test of the primary RDS instance, the application experienced a 30-second timeout and returned 503 errors to users. The RDS failover completed successfully, but the application did not recover until the Auto Scaling group replaced all instances. The application health check endpoint on the EC2 instances checks database connectivity. The ALB health check is configured to check the health check endpoint every 10 seconds with a threshold of 2 consecutive failures. The application uses a connection pool with a timeout of 5 seconds. What is the MOST likely cause of the 503 errors and the need to replace instances?

A.The EC2 instances are caching the RDS DNS name, causing them to connect to the old primary endpoint after failover. The application health check fails, leading to instance replacement.
B.The ALB health check threshold of 2 consecutive failures is too low, causing premature instance replacement.
C.The application connection pool timeout of 5 seconds is too short for RDS failover.
D.The Multi-AZ RDS configuration is insufficient; the company should implement a warm standby database in another Region.
AnswerA

DNS caching on EC2 instances causes them to attempt connections to the old primary endpoint until the TTL expires. This results in health check failures and instance replacement.

Why this answer

Option B is correct. The RDS DNS record is updated during failover, but DNS TTL caching on the EC2 instances causes them to continue connecting to the old primary endpoint until the TTL expires. The application's health check fails because it cannot connect to the database, causing the ALB to mark the instances unhealthy.

The Auto Scaling group then terminates and replaces the instances, which resolves the DNS cache on new instances. Option A is incorrect because the ALB health check threshold is 2 failures, but the timeout is longer than the health check interval; however, the root cause is DNS caching, not the health check configuration. Option C is incorrect because a warm standby would not address the DNS caching issue.

Option D is incorrect because the application is already using connection pooling, but the pool timeout of 5 seconds is not the primary issue; the DNS change propagation delay is.

353
MCQhard

A company runs a large number of EC2 instances across multiple accounts and regions. The finance team needs to track costs per project and department. Each EC2 instance must be tagged with a ProjectID and Department tag. A SysOps administrator needs to ensure that all newly launched EC2 instances are tagged automatically before they can be used, and that existing untagged instances are retroactively tagged. The tags must be propagated to cost reports in AWS Cost Explorer. Which combination of steps will achieve this with the least operational overhead?

A.Use AWS Config with auto-remediation to tag new instances, and activate the tags as cost allocation tags. For existing instances, run the Tag Editor with a CSV import.
B.Create an AWS Lambda function that tags instances at launch via CloudTrail events, and use AWS Budgets to enforce tagging.
C.Use AWS Cost Categories to automatically group costs based on resource tags.
D.Ensure all AMIs used have tags that propagate to instances, and enable cost allocation tags.
AnswerA

Correct. AWS Config auto-remediation tags non-compliant new instances; Tag Editor bulk-tags existing instances; activation in Billing console propagates tags to cost reports.

Why this answer

Option A is correct because AWS Config with auto-remediation can automatically tag newly launched EC2 instances using a custom Lambda function or SSM document triggered by a Config rule (e.g., 'required-tags'), ensuring compliance before instances are used. Activating the tags as cost allocation tags in AWS Cost Explorer allows the tags to appear in cost reports. For existing untagged instances, the Tag Editor with a CSV import provides a bulk, low-overhead method to retroactively apply tags across accounts and regions.

Exam trap

The trap here is that candidates may assume AMI tags propagate to instances or that AWS Budgets can enforce tagging, but neither is true; the correct approach requires a combination of proactive enforcement (Config auto-remediation) and retroactive bulk tagging (Tag Editor).

How to eliminate wrong answers

Option B is wrong because AWS Budgets cannot enforce tagging; it only sends alerts based on cost or usage thresholds, and does not automatically tag instances or prevent untagged instances from being used. Option C is wrong because AWS Cost Categories group costs based on existing tags or accounts, but they do not automatically tag instances or ensure that newly launched instances are tagged before use. Option D is wrong because AMI tags do not propagate to instances launched from them; instance tags must be explicitly specified at launch or applied via automation, and enabling cost allocation tags alone does not retroactively tag existing untagged instances.

354
MCQhard

A company has a VPC with multiple subnets across two Availability Zones. The company wants to set up a Network Load Balancer (NLB) to handle TCP traffic to a fleet of EC2 instances. The instances are in private subnets. Which configuration is necessary to ensure the NLB can route traffic to the instances?

A.Ensure the NLB is deployed in subnets that can route to the target subnets
B.Assign security groups to the NLB to allow inbound traffic
C.Configure a NAT gateway in each Availability Zone for the NLB to access the instances
D.Attach an internet gateway to the VPC and add a route to the NLB subnets
AnswerA

NLB must be in subnets that have routes to the target subnets; since targets are in private subnets, the NLB subnets must have appropriate routing.

Why this answer

Option D is correct because NLB targets can be instances in private subnets as long as the NLB has a subnet in each AZ where targets reside. Option A is wrong because NLB does not require an internet gateway. Option B is wrong because security groups are not used for NLB traffic.

Option C is wrong because NAT gateway is for outbound traffic.

355
Multi-Selecteasy

A company has an Application Load Balancer (ALB) that distributes traffic to EC2 instances. The company wants to enable path-based routing to send requests to different target groups. Which TWO resources must be created to achieve this?

Select 2 answers
A.Subnet for the ALB
B.Target group for each backend service
C.Network Load Balancer (NLB)
D.Listener rule with a path pattern condition
E.Security group for the ALB
AnswersB, D

Target groups group the instances for each service.

Why this answer

Option B (Listener rule) and Option D (Target group) are correct. A listener rule with conditions (e.g., path pattern) routes requests to the appropriate target group. Option A is wrong because a Network Load Balancer is not used.

Option C is wrong because a security group is for traffic filtering, not routing. Option E is wrong because a subnet is a network component, not a routing construct.

356
MCQeasy

A company wants to automatically start and stop an EC2 instance on a schedule to reduce costs. The instance runs a critical application that must be available from 8 AM to 6 PM weekdays. Which AWS service should be used to implement this scheduling?

A.AWS Instance Scheduler
B.AWS OpsWorks
C.AWS Systems Manager Automation
D.AWS CloudFormation
AnswerA

Instance Scheduler is a solution that automates start and stop schedules for EC2 and RDS instances based on tags.

Why this answer

Option C is correct because AWS Instance Scheduler is a solution that allows you to configure start and stop schedules for EC2 and RDS instances. Option A is wrong because Systems Manager Automation is for automating maintenance tasks, not scheduling instance start/stop. Option B is wrong because OpsWorks is for configuration management.

Option D is wrong because CloudFormation is for infrastructure as code, not scheduling.

357
MCQmedium

A company runs an application across multiple Availability Zones. The application servers are in private subnets and need outbound internet access to download software updates and patches. The SysOps administrator needs a highly available, fully managed solution to provide this outbound connectivity. Which solution should be used?

A.Deploy a NAT instance in each private subnet
B.Deploy a single NAT Gateway in one public subnet
C.Deploy a NAT Gateway in each public subnet
D.Attach an Internet Gateway directly to the private subnets
AnswerC

By deploying a NAT Gateway in each Availability Zone's public subnet and configuring private subnets to use the NAT Gateway in the same AZ, the solution is both fully managed and highly available. If one AZ fails, the other AZ's NAT Gateway continues to provide internet access.

Why this answer

Option C is correct because deploying a NAT Gateway in each public subnet provides a highly available, fully managed solution for outbound internet access from private subnets. NAT Gateways are managed by AWS, automatically scale, and are resilient within an Availability Zone; using one per AZ ensures that if one AZ fails, the others continue to provide outbound connectivity. This meets the requirement for high availability without the operational overhead of managing NAT instances.

Exam trap

The trap here is that candidates often confuse NAT Gateways with NAT instances or assume a single NAT Gateway is sufficient for high availability, overlooking the need for one per Availability Zone to achieve true fault tolerance.

How to eliminate wrong answers

Option A is wrong because NAT instances are self-managed EC2 instances that require manual patching, scaling, and failover configuration, which contradicts the 'fully managed' requirement and introduces a single point of failure if only one instance is used per subnet. Option B is wrong because a single NAT Gateway in one public subnet creates a single point of failure; if that Availability Zone becomes unavailable, all private subnets lose outbound internet access, violating the high availability requirement. Option D is wrong because attaching an Internet Gateway directly to private subnets would expose those subnets to inbound internet traffic, defeating the purpose of a private subnet and violating security best practices; Internet Gateways are designed for public subnets only.

358
MCQeasy

A SysOps administrator needs to audit all API calls made in an AWS account for compliance and security analysis. The logs must be stored securely for at least one year. Which AWS service should the administrator enable?

A.AWS CloudTrail
B.Amazon CloudWatch Logs
C.AWS Config
D.Amazon GuardDuty
AnswerA

CloudTrail records API activity and delivers log files to S3, enabling auditing and compliance needs.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made in an AWS account, including the identity of the caller, the time of the call, the source IP address, and the request parameters. This audit log is essential for compliance and security analysis, and CloudTrail can be configured to store logs in an S3 bucket with lifecycle policies to retain them for at least one year.

Exam trap

The trap here is that candidates often confuse CloudTrail with CloudWatch Logs, thinking CloudWatch Logs can capture API calls, but CloudWatch Logs only stores logs from services that explicitly send them, not the full audit trail of API activity.

How to eliminate wrong answers

Option B (Amazon CloudWatch Logs) is wrong because CloudWatch Logs is designed for monitoring, storing, and accessing log files from AWS resources (e.g., EC2, Lambda), not for auditing API calls; it does not capture AWS API activity by default. Option C (AWS Config) is wrong because AWS Config evaluates resource configurations against desired policies and records configuration changes, but it does not log API calls or provide a record of who made changes. Option D (Amazon GuardDuty) is wrong because GuardDuty is a threat detection service that analyzes CloudTrail logs, VPC flow logs, and DNS logs for malicious activity, but it does not itself generate or store API call logs for auditing.

359
MCQmedium

A SysOps administrator is reviewing the reliability of a production system that uses Amazon DynamoDB as its primary data store. The table has on-demand capacity and a single partition key. The application experiences occasional throttling errors during peak hours. Which action would most effectively improve reliability?

A.Switch to provisioned capacity and set high read/write units.
B.Enable auto-scaling and increase the maximum capacity.
C.Review and optimize the partition key design to avoid hot partitions.
D.Enable DynamoDB Accelerator (DAX) to reduce read latency.
AnswerC

Even with on-demand, hot partitions can cause throttling; optimizing the key distributes load.

Why this answer

Option A is correct: On-demand capacity automatically scales to handle traffic spikes, but if the partition key design causes hot partitions, throttling can still occur. The most effective solution is to optimize the partition key to distribute workload evenly. Option B is incorrect because waiting for auto-scaling may not address hot partitions.

Option C is incorrect because increasing read/write capacity in provisioned mode is a manual process and may not solve hot partition issues. Option D is incorrect because DAX is a caching layer that reduces read load but does not help with write throttling or hot partitions.

360
Multi-Selecthard

Which THREE are valid methods to control access to an S3 bucket? (Choose three.)

Select 3 answers
A.VPC Flow Logs
B.Access control lists (ACLs)
C.Bucket policies
D.IAM user policies
E.CloudWatch Logs
AnswersB, C, D

Legacy access control mechanism.

Why this answer

Option A is correct because bucket policies are a method. Option B is correct because IAM policies can grant access to S3. Option D is correct because ACLs are a legacy method.

Option C is wrong because VPC Flow Logs are not access control. Option E is wrong because CloudWatch Logs are not access control.

361
MCQhard

A company has an S3 bucket that stores sensitive data. A SysOps administrator needs to detect when objects in the bucket are publicly accessible. Which AWS service should the administrator use to continuously monitor and report on public access?

A.AWS Config
B.S3 server access logs
C.Amazon GuardDuty
D.AWS Trusted Advisor
AnswerA

AWS Config can continuously evaluate S3 bucket policies against rules for public access.

Why this answer

AWS Config provides a managed rule called 's3-bucket-public-read-prohibited' and 's3-bucket-public-write-prohibited' that continuously evaluates S3 bucket policies and ACLs against the desired configuration. When a bucket becomes publicly accessible, AWS Config flags it as noncompliant and can trigger automated remediation or notifications. This makes it the correct service for ongoing monitoring and reporting of public access to sensitive data.

Exam trap

The trap here is that candidates often confuse 'detecting public access' with 'auditing access logs' (S3 server access logs) or 'threat detection' (GuardDuty), but the question specifically asks for continuous monitoring and reporting of the bucket's configuration state, which is exactly what AWS Config's managed rules provide.

How to eliminate wrong answers

Option B is wrong because S3 server access logs record detailed requests made to the bucket (e.g., requester, action, response status), but they do not evaluate or report on the bucket's public access configuration; they are used for auditing who accessed objects, not for detecting whether the bucket itself is publicly accessible. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events for malicious activity, not S3 bucket policies or ACLs; it does not monitor public access settings on S3 buckets. Option D is wrong because AWS Trusted Advisor provides one-time or periodic checks (e.g., S3 Bucket Permissions check) but does not offer continuous, real-time monitoring or compliance reporting; it is a best-practice advisory tool, not a configuration monitoring service.

362
Multi-Selecteasy

A SysOps administrator is creating an Auto Scaling group using a launch template. The administrator wants to ensure that instances are automatically registered with an Application Load Balancer (ALB) target group. Which TWO steps are required? (Choose TWO.)

Select 2 answers
A.Configure the instance security group to allow traffic from the ALB.
B.Specify the target group ARN in the Auto Scaling group configuration.
C.Configure health checks on the Auto Scaling group to use ELB.
D.Create a security group for the ALB and attach it to the Auto Scaling group.
E.Include the target group ARN in the launch template.
AnswersA, B

Instances must accept traffic from the ALB to be healthy.

Why this answer

Option B is correct because the target group ARN must be specified in the Auto Scaling group to enable automatic registration. Option D is correct because the security group must allow traffic from the ALB to the instance. Option A is wrong because health checks are configured on the target group, not the Auto Scaling group.

Option C is wrong because the launch template does not attach to target groups. Option E is wrong because the ALB does not need a security group for health checks.

363
MCQeasy

A DevOps engineer needs to automate the creation of an Amazon RDS for MySQL DB instance in a VPC. The solution must use infrastructure as code. Which AWS service should be used to provision the database?

A.AWS OpsWorks
B.AWS Elastic Beanstalk
C.AWS CloudFormation
D.EC2 Auto Scaling
AnswerC

CloudFormation allows defining RDS as a resource in a template.

Why this answer

Option B is correct because AWS CloudFormation can define and provision AWS infrastructure, including RDS instances, as code. Option A is incorrect because AWS OpsWorks uses Chef/Puppet but is not the primary choice for simple RDS provisioning. Option C is incorrect because AWS Elastic Beanstalk is a PaaS service that manages application deployment, not infrastructure provisioning directly.

Option D is incorrect because EC2 Auto Scaling manages EC2 instances, not RDS.

364
MCQmedium

A company has a production AWS account with multiple IAM users. The security team wants to implement a policy that prevents users from launching EC2 instances without an IAM role that grants access to an S3 bucket containing sensitive data. The policy should also allow users to launch instances with other roles. A SysOps administrator creates an IAM policy that denies ec2:RunInstances if the instance does not have a specific IAM instance profile. However, users are still able to launch instances without any role. What is the most likely reason, and what should be done to fix it?

A.The condition key 'ec2:InstanceProfileArn' is misspelled; it should be 'ec2:IamInstanceProfile'.
B.The policy should be attached to the user's group instead of the user.
C.The policy needs to be applied as a service control policy (SCP) to be effective.
D.The condition key is incorrect; the policy should use 'ec2:InstanceProfile' condition key with a specific ARN.
AnswerD

The correct condition key is ec2:InstanceProfileArn.

Why this answer

Option C is correct because the condition key for instance profile is ec2:InstanceProfileArn, not ec2:IamInstanceProfile. Option A is wrong because the condition 'Null' does not evaluate to true for missing profile; the condition must check for specific ARN. Option B is wrong because SCPs are not involved unless using Organizations.

Option D is wrong because attaching the policy to the user does not fix the condition key issue.

365
MCQeasy

A company needs to deploy a set of microservices using Docker containers on AWS. The deployment should be automated and support scaling based on demand. Which AWS service should be used to orchestrate the containers?

A.AWS Lambda
B.AWS Elastic Beanstalk
C.Amazon ECS
D.AWS CodeDeploy
AnswerC

Amazon ECS is a container orchestration service that integrates with other AWS services.

Why this answer

Option D is correct. Amazon ECS is a fully managed container orchestration service that integrates with Auto Scaling and CloudWatch. Option A (Lambda) is for serverless functions, not containers.

Option B (Elastic Beanstalk) can deploy containers but is less flexible for microservices. Option C (CodeDeploy) is for application deployments, not orchestration.

366
MCQeasy

A SysOps administrator is creating an AWS CloudFormation template to deploy a web server. The template must define an Amazon EC2 instance, a security group, and an Elastic IP. In which section of the template should these resources be declared?

A.Parameters
B.Resources
C.Outputs
D.Mappings
AnswerB

The Resources section is the correct location to declare the AWS resources that will be created by the stack.

Why this answer

In an AWS CloudFormation template, the Resources section is the mandatory block where all AWS resources (such as EC2 instances, security groups, and Elastic IPs) are declared and configured. The template's logic for creating, updating, and deleting these infrastructure components is defined exclusively within this section, making B the correct choice.

Exam trap

The trap here is that candidates confuse the purpose of the Parameters section (input values) with the Resources section (resource definitions), often thinking that resources like EC2 instances are 'parameters' because they require configuration values like instance type or AMI ID.

How to eliminate wrong answers

Option A is wrong because the Parameters section is used to accept runtime input values (e.g., instance type, AMI ID) from the user, not to define the resources themselves. Option C is wrong because the Outputs section is used to export information about created resources (e.g., instance public IP) for use by other stacks or users, not to declare the resources. Option D is wrong because the Mappings section is used to create static lookup tables (e.g., mapping AWS regions to AMI IDs) for conditional values, not to define resources.

367
MCQhard

A SysOps administrator is setting up a Network Load Balancer (NLB) to handle millions of requests per second. The target group consists of EC2 instances that are in a single Availability Zone. Which of the following is a potential issue?

A.If the single AZ becomes unavailable, the NLB will fail over to other AZs automatically.
B.The NLB cannot be associated with only one Availability Zone.
C.The NLB cannot preserve the source IP address of the client.
D.The NLB will not be able to handle the traffic volume due to the single AZ limitation.

Why this answer

NLB is a regional service but cross-zone load balancing is disabled by default. If all targets are in one AZ, and cross-zone is off, traffic is distributed only to that AZ. However, if the NLB is in multiple AZs, it can still send traffic to targets in one AZ.

Option A is not a problem. Option B is not a problem because NLB supports high throughput. Option D is not a problem because NLB supports static IP.

368
MCQmedium

A company uses AWS CloudTrail to log API calls across all regions. The SysOps administrator notices that logs for a specific region are missing from the centralized S3 bucket. What is the most likely cause?

A.The CloudTrail trail is not enabled for that region.
B.The S3 bucket policy denies write access from CloudTrail for that region.
C.CloudTrail log file validation is disabled.
D.The IAM role for CloudTrail does not have permissions to write logs from that region.
AnswerA

Correct. CloudTrail must be explicitly enabled for each region or a multi-region trail must be used. Missing logs for a specific region strongly suggests the trail is not applied there.

Why this answer

CloudTrail trails can be configured to log API calls from specific regions or all regions. If logs for a particular region are missing from the centralized S3 bucket, the most likely cause is that the trail was not enabled for that region during trail creation or update. By default, a trail applied to all regions will automatically log activity from every region, but if the trail is configured for a single region or a subset, other regions will not have their logs delivered.

Exam trap

The trap here is that candidates often assume missing logs are due to a permissions or policy issue (options B or D), when in fact the most common root cause is a simple configuration oversight where the trail is not set to log from all regions or the specific region was not included.

How to eliminate wrong answers

Option B is wrong because if the S3 bucket policy denied write access from CloudTrail for that specific region, logs from all regions would likely be affected or the error would appear in CloudTrail’s delivery status, not just missing logs for one region. Option C is wrong because log file validation is a security feature that adds a digest file for integrity checks; disabling it does not prevent logs from being delivered to the S3 bucket. Option D is wrong because CloudTrail uses a service-linked role or a customer-managed IAM role that is not region-specific; if the role lacked permissions, logs from all regions would fail to be delivered, not just one region.

369
MCQmedium

A company has a VPC with a CIDR block of 10.0.0.0/16. They need to connect to an on-premises network using a site-to-site VPN. The on-premises network uses 10.0.0.0/16 as well. Which solution avoids routing conflicts?

A.Attach an Internet Gateway and use public IPs for communication.
B.Set up a second VPN connection to a different virtual private gateway.
C.Create a VPC peering connection between the VPC and on-premises network.
D.Use a NAT instance to translate addresses for overlapping ranges.
AnswerD

NAT can translate overlapping IPs.

Why this answer

Option D is correct because a NAT instance can translate the overlapping IP addresses from the on-premises network (10.0.0.0/16) to a different IP range within the VPC, allowing communication without routing conflicts. The NAT instance performs destination NAT (DNAT) for inbound traffic and source NAT (SNAT) for outbound traffic, effectively hiding the overlap. This is a common workaround when both networks use the same CIDR block and cannot be renumbered.

Exam trap

The trap here is that candidates often assume a second VPN connection or VPC peering can solve overlapping CIDR issues, but AWS requires unique, non-overlapping IP ranges for both VPN route propagation and VPC peering, making NAT the only viable option among the choices.

How to eliminate wrong answers

Option A is wrong because attaching an Internet Gateway and using public IPs does not resolve the routing conflict within the VPC; the VPC's route tables still have a local route for 10.0.0.0/16, which will conflict with the on-premises route, and traffic destined for the on-premises network would be incorrectly routed locally. Option B is wrong because setting up a second VPN connection to a different virtual private gateway does not address the overlapping CIDR; both VPN connections would still require unique, non-overlapping IP ranges for the route tables, and the conflict persists. Option C is wrong because VPC peering does not support overlapping CIDR blocks; AWS explicitly prohibits peering connections between VPCs with overlapping or identical IP ranges, and on-premises networks cannot be peered directly with a VPC.

370
MCQhard

A company uses AWS CloudFormation to deploy a stack that includes an Amazon RDS DB instance with Multi-AZ enabled. During a stack update, the database engine version is changed. The update fails with a rollback. What is the most likely cause?

A.The engine version upgrade is not supported for Multi-AZ deployments.
B.The DB instance class is not available for the new engine version.
C.The storage type is not compatible with the new engine version.
D.The DB subnet group does not have enough IP addresses.
AnswerA

Some engine version upgrades are not supported directly; they may require a manual process.

Why this answer

Option C is correct because modifying the DB engine version on a Multi-AZ instance requires a reboot of both the primary and standby, and if the upgrade is not supported, it fails. Option A is wrong because the storage type is not changed. Option B is wrong because the DB instance class is not changed.

Option D is wrong because the subnet group is not changed.

371
MCQmedium

A SysOps administrator notices that an EC2 instance running a web server is receiving unexpected traffic from an IP address that is known to be malicious. The administrator wants to block this IP address at the instance level. Which solution should be used?

A.Modify the network ACL to deny traffic from that IP.
B.Use AWS WAF to block the IP address.
C.Install a third-party firewall on the instance.
D.Update the security group to deny traffic from that IP.
AnswerA

NACLs support deny rules and can block IPs at subnet level.

Why this answer

Option D is correct because a network ACL is stateless and can block inbound traffic at the subnet level, but for instance-level blocking, a security group or host-based firewall is needed. However, among the options, a network ACL can block the IP at the subnet level, which is the closest AWS-native solution without installing software. Option A is wrong because security groups do not support deny rules.

Option B is wrong because NACLs can block IPs. Option C is wrong because WAF is for web application layer, not IP blocking at instance level.

372
Multi-Selectmedium

A company needs to audit all changes to AWS resources. Which THREE AWS services should be used together to achieve this? (Choose three.)

Select 3 answers
A.Amazon Inspector
B.AWS CloudTrail
C.Amazon CloudWatch Events
D.AWS Trusted Advisor
E.AWS Config
AnswersB, C, E

Records API calls.

Why this answer

Option A is correct because AWS Config records resource configuration changes. Option B is correct because CloudTrail records API calls. Option D is correct because CloudWatch Events can trigger notifications.

Option C is wrong because Inspector is for security assessments. Option E is wrong because Trusted Advisor is for best practices.

373
Multi-Selectmedium

A company wants to ensure that data in transit between an EC2 instance and an RDS database is encrypted. Which TWO actions should the SysOps administrator take? (Choose TWO.)

Select 2 answers
A.Use VPC peering to connect the EC2 instance and RDS database.
B.Enable SSL/TLS for the RDS DB instance.
C.Set up a VPN connection between the EC2 instance and the RDS database.
D.Enable encryption at rest for the RDS DB instance.
E.Configure the application to use SSL/TLS when connecting to the database.
AnswersB, E

RDS supports SSL/TLS for encrypting connections.

Why this answer

Option A is correct because RDS supports SSL/TLS for encrypting connections. Option D is correct because the client must use SSL/TLS to connect. Option B is wrong because encryption at rest is separate from in transit.

Option C is wrong because VPC peering does not encrypt traffic. Option E is wrong because VPN encrypts traffic but is not needed if SSL/TLS is used within the same VPC.

374
Multi-Selecthard

A company is using Amazon CloudWatch Logs to collect logs from multiple AWS services. The SysOps administrator needs to query logs across multiple log groups in real-time. Which THREE of the following are capabilities of CloudWatch Logs Insights?

Select 3 answers
A.Export query results directly to an S3 bucket.
B.Schedule queries to run at a specific time.
C.Run queries in real-time against incoming log data.
D.Visualize query results with bar charts and line graphs.
E.Query multiple log groups in a single query.
AnswersC, D, E

Insights queries are near real-time on log data ingested.

Why this answer

CloudWatch Logs Insights supports real-time queries against incoming log data, allowing you to analyze logs as they are ingested. This is enabled by its ability to query live streams without requiring data to be indexed first, making it suitable for real-time troubleshooting and monitoring.

Exam trap

The trap here is that candidates may confuse CloudWatch Logs Insights' real-time querying with scheduled or export capabilities, which are actually handled by separate AWS services like EventBridge or S3 Export tasks, not by Insights itself.

375
MCQhard

A company has three VPCs in the same AWS region: VPC A (production), VPC B (development), and VPC C (shared services). The VPCs have overlapping CIDR blocks (e.g., VPC A: 10.0.0.0/16, VPC B: 10.0.0.0/16, VPC C: 10.1.0.0/16). The SysOps administrator needs to enable private IP communication between VPC A and VPC C, and between VPC B and VPC C, but not between VPC A and VPC B. The solution must also support a growing number of VPCs in the future. Which AWS service should be used?

A.Use AWS Transit Gateway with attachment route tables that isolate traffic between VPCs, ensuring that VPC A and VPC B routes are separate.
B.Use AWS PrivateLink by creating a Network Load Balancer in VPC C and configuring VPC endpoints in VPC A and VPC B to access the services.
C.Create two VPC peering connections: one between VPC A and VPC C, and one between VPC B and VPC C.
D.Set up two AWS Site-to-Site VPN connections from VPC C to VPC A and VPC B using virtual private gateways.
AnswerB

AWS PrivateLink allows you to expose services in VPC C via a Network Load Balancer, and VPC A and VPC B can create interface VPC endpoints to connect to those services privately. This works even with overlapping CIDRs because the endpoints are assigned specific private IP addresses from the VPC's subnet and traffic is directed using endpoint-specific routing. It also scales well with additional VPCs.

Why this answer

AWS Transit Gateway (Option A) cannot be used because the VPCs have overlapping CIDR blocks (10.0.0.0/16 for both VPC A and VPC B), which prevents Transit Gateway from routing traffic correctly due to route conflicts. AWS PrivateLink (Option B) solves this by allowing VPC A and VPC B to access services in VPC C via VPC endpoints and a Network Load Balancer, without requiring direct IP routing between the VPCs, thus avoiding CIDR overlap issues and supporting future VPC growth.

Exam trap

The trap here is that candidates assume Transit Gateway or VPC peering can handle overlapping CIDRs through route table isolation, but AWS explicitly requires non-overlapping CIDRs for both services to function correctly, making PrivateLink the only viable option for this scenario.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway requires non-overlapping CIDR blocks for proper route propagation and routing; overlapping CIDRs (VPC A and VPC B both using 10.0.0.0/16) cause route conflicts that prevent Transit Gateway from distinguishing traffic between them. Option C is wrong because VPC peering does not support transitive routing and requires non-overlapping CIDRs to establish direct routes; overlapping CIDRs between VPC A and VPC B would prevent successful peering with VPC C due to route table conflicts. Option D is wrong because AWS Site-to-Site VPN connections also require non-overlapping CIDRs for the virtual private gateway to route traffic correctly; overlapping CIDRs would cause routing ambiguity and connectivity failures.

Page 4

Page 5 of 21

Page 6